U.S. CISA adds SolarWinds Web Help Desk, Sangoma FreePBX, and GitLab flaws to its Known Exploited Vulnerabilities catalog

CISA added four vulnerabilities—CVE-2025-40551, CVE-2021-39935, CVE-2019-19006, and CVE-2025-64328—affecting SolarWinds Web Help Desk, GitLab, and Sangoma FreePBX to its Known Exploited Vulnerabilities catalog, including critical RCE, SSRF, authentication bypass, and command injection flaws. Federal civilian agencies must remediate the listed issues under BOD 22-01 by the specified deadlines (SolarWinds by Feb 6, others by Feb 24, 2026), and organizations are urged to review and patch affected systems promptly. #SolarWinds #FreePBX

Keypoints

  • CVE-2025-40551 in SolarWinds Web Help Desk is a deserialization flaw (CVSS 9.8) that allows unauthenticated remote code execution.
  • CVE-2021-39935 in GitLab is an SSRF vulnerability (CVSS 7.5) for which GreyNoise has observed increased automated exploitation activity.
  • CVE-2019-19006 in Sangoma FreePBX is an improper authentication bug (CVSS 9.8) that lets attackers bypass login and gain full admin access.
  • CVE-2025-64328 in FreePBX Endpoint Manager is an authenticated OS command injection (CVSS 8.6) enabling command execution as the asterisk user and potential server takeover.
  • Under BOD 22-01, federal agencies must remediate these KEV-listed vulnerabilities by the deadlines, and private organizations are strongly advised to patch affected systems.
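A KEV addition only matters once it is mapped onto what you actually run and its BOD 22-01 due date is tracked. The script below is an added example, not code from the article, CISA, or any of the named vendors: it parses records in the shape of CISA's public KEV JSON feed (field names cveID, vendorProject, product, dueDate), matches them against a local asset inventory, and reports the days remaining before each deadline. The KEV sample is constructed from the CVE IDs, products and deadlines this summary reports; the inventory hostnames and the fixed "today" value are hypothetical.

```python
"""KEV deadline triage: match CISA KEV entries to a local asset inventory.

Added example for this summary; not code from the article, CISA, or any
vendor. It reads the field names used by CISA's public KEV JSON feed
(cveID, vendorProject, product, dueDate). The sample records are built
from the CVE IDs, products and deadlines the summary reports; the asset
inventory is entirely constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed sample in the shape of the KEV feed (only the fields this
# script reads). Due dates are the BOD 22-01 deadlines the summary gives.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-40551", "vendorProject": "SolarWinds",
     "product": "Web Help Desk", "dueDate": "2026-02-06"},
    {"cveID": "CVE-2021-39935", "vendorProject": "GitLab",
     "product": "GitLab", "dueDate": "2026-02-24"},
    {"cveID": "CVE-2019-19006", "vendorProject": "Sangoma",
     "product": "FreePBX", "dueDate": "2026-02-24"},
    {"cveID": "CVE-2025-64328", "vendorProject": "Sangoma",
     "product": "FreePBX Endpoint Manager", "dueDate": "2026-02-24"},
]})

# Constructed asset inventory; hostnames are hypothetical.
INVENTORY = [
    {"host": "helpdesk01", "vendor": "SolarWinds", "product": "Web Help Desk"},
    {"host": "git01", "vendor": "GitLab", "product": "GitLab"},
    {"host": "pbx-edge", "vendor": "Sangoma", "product": "FreePBX"},
    {"host": "wiki01", "vendor": "Atlassian", "product": "Confluence"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    product: str
    due: date
    days_left: int  # negative once the BOD 22-01 deadline has passed

    @property
    def overdue(self) -> bool:
        return self.days_left < 0


def _norm(s: str) -> str:
    return " ".join(s.lower().split())


def product_matches(asset_product: str, kev_product: str) -> bool:
    """Loose match: 'FreePBX' should hit 'FreePBX Endpoint Manager' and
    vice versa, because a KEV entry may name a component of an installed
    product. Tighten this if your inventory tracks components."""
    a, k = _norm(asset_product), _norm(kev_product)
    return a in k or k in a


def triage(kev_json: str, inventory: list, today) -> list:
    """Return one Finding per (asset, KEV entry) pair that affects the
    asset, soonest deadline first. 'today' is a date or an ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    entries = json.loads(kev_json)["vulnerabilities"]
    findings = []
    for asset in inventory:
        for e in entries:
            if _norm(asset["vendor"]) != _norm(e["vendorProject"]):
                continue
            if not product_matches(asset["product"], e["product"]):
                continue
            due = date.fromisoformat(e["dueDate"])
            findings.append(Finding(asset["host"], e["cveID"], e["product"],
                                    due, (due - today).days))
    return sorted(findings, key=lambda f: (f.due, f.host, f.cve))


def report(findings: list) -> str:
    lines = []
    for f in findings:
        state = f"OVERDUE by {-f.days_left}d" if f.overdue else f"{f.days_left}d left"
        lines.append(f"{f.host:12} {f.cve:15} due {f.due.isoformat()}  {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Fixed date so the run is reproducible; use date.today() in practice.
    print(report(triage(KEV_SAMPLE, INVENTORY, "2026-02-01")))
```

Run against the live feed by replacing KEV_SAMPLE with the downloaded JSON and INVENTORY with an export from your CMDB; the substring product match is deliberately generous so that component-level entries such as the FreePBX Endpoint Manager one surface on hosts inventoried only as "FreePBX".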

Read More: https://securityaffairs.com/187592/security/u-s-cisa-adds-solarwinds-web-help-desk-sangoma-freepbx-and-gitlab-flaws-to-its-known-exploited-vulnerabilities-catalog.html